CVE-2025-32756
Published: 13 May 2025
Summary
CVE-2025-32756 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Fortinet FortiNDR. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A stack-based buffer overflow vulnerability, tracked as CVE-2025-32756 and also associated with CWE-787, affects multiple Fortinet products including FortiCamera versions 2.1.0-2.1.3, 2.0.x, and 1.1.x; FortiMail 7.6.0-7.6.2, 7.4.0-7.4.4, 7.2.0-7.2.7, and 7.0.0-7.0.8; FortiNDR 7.6.0, 7.4.0-7.4.7, 7.2.0-7.2.4, and 7.0.0-7.0.6; FortiRecorder 7.2.0-7.2.3, 7.0.0-7.0.5, and 6.4.0-6.4.5; and FortiVoice 7.2.0, 7.0.0-7.0.6, and 6.4.0-6.4.10. The flaw resides in the handling of HTTP requests containing a specially crafted hash cookie and carries a CVSS 3.1 score of 9.8.
Remote unauthenticated attackers can exploit the issue over the network by sending malicious HTTP requests, resulting in arbitrary code or command execution with full impact to confidentiality, integrity, and availability.
Fortinet has published advisory FG-IR-25-254 detailing the vulnerability, while CISA has added CVE-2025-32756 to its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score rose from a low baseline to a peak of 0.4163 on 2026-03-10 before receding to the current value of 0.2228, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14705
Vulnerability details
A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests with a specially crafted hash cookie.
- CWE(s)
- KEV Date Added: 14 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of HTTP cookie input to reject oversized or malformed hash values before they reach the vulnerable stack buffer.
Enforces memory-protection mechanisms (ASLR, DEP, stack canaries) that block reliable exploitation of the stack-based buffer overflow.
Mandates timely application of vendor patches that eliminate the flawed cookie-handling code in the listed Fortinet versions.
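The input-validation control above, shown as an added C example (not Fortinet's code and not taken from the advisory): a decoder that checks a hash cookie value's length and character set before writing a single byte into a fixed-size stack buffer. The page does not describe the cookie's encoding or the buffer size, so the hex encoding, the 32-byte digest and the names `decode_hash_cookie` and `check_sample` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_BYTES   32                /* assumption: 32-byte digest */
#define HASH_HEX_LEN (HASH_BYTES * 2)  /* assumption: cookie value is hex text */

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical validator: decode a hex hash cookie value into out.
 * Returns 0 on success, -1 on rejection. The length is checked against the
 * destination before any byte is written; val need not be NUL-terminated. */
int decode_hash_cookie(const char *val, size_t val_len,
                       unsigned char *out, size_t out_len)
{
    if (val == NULL || out == NULL) return -1;
    if (out_len < HASH_BYTES) return -1;     /* destination too small */
    if (val_len != HASH_HEX_LEN) return -1;  /* oversized, truncated or odd length */
    for (size_t i = 0; i < val_len; i++)     /* validate first: a reject leaves out untouched */
        if (hex_val(val[i]) < 0) return -1;
    for (size_t i = 0; i < HASH_BYTES; i++)
        out[i] = (unsigned char)((hex_val(val[2 * i]) << 4) | hex_val(val[2 * i + 1]));
    return 0;
}

/* Run the validator on a constructed value: len bytes of the character fill. */
int check_sample(size_t len, char fill)
{
    static char val[4096];
    unsigned char digest[HASH_BYTES];  /* the fixed-size stack buffer being protected */
    if (len > sizeof val) len = sizeof val;
    memset(val, fill, len);
    return decode_hash_cookie(val, len, digest, sizeof digest);
}

int main(void)
{
    printf("64 hex chars   -> %d\n", check_sample(64, 'a'));
    printf("4096 hex chars -> %d\n", check_sample(4096, 'a'));
    printf("64 non-hex     -> %d\n", check_sample(64, 'z'));
    return 0;
}
```

Passing the destination size explicitly and requiring an exact input length means an oversized value is refused at the boundary instead of relying on stack canaries or ASLR to contain the damage afterwards.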